Jazz Security Architecture single sign-on (SSO) is an authentication mechanism based on the OpenID Connect protocol. It is an alternative to the other single sign-on methods, Kerberos/SPNEGO SSO and WebSphere® Liberty server with Lightweight Third-Party Authentication (LTPA) SSO. You can enable Jazz Security Architecture SSO authentication for existing IBM Engineering Lifecycle Management deployments by using repository tools (repotools) commands.
Before you begin
Important: Before you can enable single sign-on authentication, the Jazz® Team Server and any Engineering Lifecycle Management applications that will be enabled must be upgraded to version 6.0 or later. The upgrade must be complete and verified.
Important: The procedure applies to Engineering Lifecycle Management applications that have repotools command scripts: Jazz Team Server, Change and Configuration Management, Data Collection Component, Global Configuration Management, Engineering Test Management, Engineering Insights, and Requirements Management. To enable existing Report Builder and Lifecycle Query Engine applications for single sign-on, see the related links at the end of this topic.
About this task
To enable Jazz Security Architecture SSO for an existing Engineering Lifecycle Management deployment, you must enable both the Engineering Lifecycle Management applications and the Jazz Team Server where the applications are registered. Not all applications need to be enabled at the same time. However, users do not get a single sign-on login experience until all applications are enabled.
While the servers are online, run the prepareJsaSsoMigration command to prepare for the migration and create the data files that the migrateToJsaSso command needs. Then, while the servers are offline, run the migrateToJsaSso command to enable single sign-on authentication.
Procedure
- Verify that the Jazz Team Server and the other applications are at version 6.0 or later.
- In the Jazz Team Server installation directory, run the prepareJsaSsoMigration repotools command. For information about how to use the command and the parameters that must be passed, see Repository tools command to prepare an Engineering Lifecycle Management application for Jazz Security Architecture single sign-on.
Note: You must pass values for the repositoryURL, adminUserId, and adminPassword attributes to the prepareJsaSsoMigration repotools command for the command to run successfully. Because adminPassword is passed on the command line, it can be recorded in the shell history and is visible in the process listing on the host while the command runs.
A data file is created in the working directory. By default, the file is named jts-ssoMigrationData.json. The file lists the registered OAuth consumers, friend servers, and registered applications for the Jazz Team Server.
- Edit the data file that you created in step 2 and remove any friend servers or registered applications that will not be enabled for single sign-on authentication.
- Go to the friends section of the file.
- Delete the associated block of lines that are delimited by braces ({ and }). Remove each entry whole, including its enclosing braces and any trailing comma, so that the file remains valid JSON.
Important: If Report Builder and Lifecycle Query Engine entries are included as registered applications in the friends section of the data file, these applications must be enabled for single sign-on authentication. Otherwise, the applications will not function correctly. For more information, see the related links at the end of this topic.
Important: Do not modify the consumers section of the file.
- Similarly, run the prepareJsaSsoMigration command for each Engineering Lifecycle Management application that will be enabled for single sign-on authentication.
By default, data files that are named application-ssoMigrationData.json are created, where application is ccm, dcc, gc, qm, or rm. Each data file lists the friends of the associated application.
- Edit each data file that you created in step 4 and remove any friends that will not be enabled for single sign-on authentication.
- Go to the friends section of the file.
- Delete the associated block of lines that are delimited by braces ({ and }).
Important: Do not modify the consumers section of the file.
- Stop all the servers.
- Install the Jazz Authorization Server. For more information, see Installing IBM Engineering Lifecycle Management by using IBM Installation Manager.
- Verify that the Jazz Authorization Server is configured correctly and running. For more information, see Deploying and starting Jazz Authorization Server.
- If a Lightweight Directory Access Protocol (LDAP) user registry was used previously, configure the Jazz Authorization Server with the same LDAP registry.
- If an Apache Tomcat user registry was used previously, you must migrate the users to the WebSphere Liberty basic user registry. Jazz Authorization Server is based on the WebSphere Liberty server. Because Jazz Authorization Server authenticates the users, it must be configured with its own user registry; it cannot use the registry of the Apache Tomcat server or WebSphere Liberty server that the Engineering Lifecycle Management applications are deployed on. In either case, the user IDs in the Jazz Authorization Server registry must match the user IDs that the applications already know, so that authenticated users map to their existing user records after the migration.
- Enable the Jazz Team Server for single sign-on authentication. In the Jazz Team Server installation directory, run the repotools-jts -migrateToJsaSso command. By default, the command reads the jts-ssoMigrationData.json file in the working directory.
- Similarly, run the migrateToJsaSso command for each Engineering Lifecycle Management application that will be enabled for single sign-on authentication.
Note: The application commands require both their own data file and the Jazz Team Server data file. If the applications are deployed on different host computers than the Jazz Team Server, you must copy the Jazz Team Server data file to the working directory on each host.
- Restart the servers.
- Optional: If you have Lifecycle Query Engine or Link Index Provider, see Enabling Lifecycle Query Engine for Jazz Security Architecture single sign-on.
- Optional: If you have Report Builder, see Enabling Report Builder for Jazz Security Architecture single sign-on.
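The hand-editing in steps 3 and 5 is easy to get wrong on a large deployment: a stray trailing comma leaves the file invalid, a consumers entry is deleted by accident, or a Report Builder or Lifecycle Query Engine friend that must stay is removed. The following Python script is an added example, not code from the IBM documentation or from repotools, that performs the same pruning programmatically. It assumes the data file is a JSON object with a "friends" list whose entries carry a "name" and "rootServicesUrl" field and a "consumers" list; those field names are assumptions for illustration, since the page documents only the section names. The sample data is constructed, not a real file.

```python
"""Prune the friends section of a Jazz SSO migration data file.

Added example, not part of the IBM documentation or of repotools itself.
Assumed file shape (the key and field names below are assumptions; the
page documents only that the file has a "friends" section of brace-
delimited entries and a "consumers" section that must not be modified):

{
  "consumers": [ {...}, ... ],
  "friends":   [ {"name": "...", "rootServicesUrl": "..."}, ... ]
}
"""
import copy
import json

# Constructed sample in the assumed shape; not a real migration data file.
SAMPLE_FILE_TEXT = json.dumps({
    "consumers": [
        {"consumerKey": "ccm-consumer", "trusted": True},
        {"consumerKey": "rm-consumer", "trusted": True},
    ],
    "friends": [
        {"name": "ccm", "rootServicesUrl": "https://elm.example.com:9443/ccm/rootservices"},
        {"name": "rm", "rootServicesUrl": "https://elm.example.com:9443/rm/rootservices"},
        {"name": "legacy-qm", "rootServicesUrl": "https://old.example.com:9443/qm/rootservices"},
    ],
}, indent=2)
SAMPLE_DATA = json.loads(SAMPLE_FILE_TEXT)


def prune_friends(data, keep_names, must_keep=()):
    """Return (pruned_copy, removed_names).

    Keeps only the friends whose "name" is in keep_names and copies every
    other section, including "consumers", through untouched. must_keep lists
    friends that may not be dropped (the page says Report Builder and LQE
    entries present in the friends section must be enabled); trying to drop
    one raises ValueError instead of silently producing a broken deployment.
    The input dict is not mutated.
    """
    present = {f.get("name") for f in data.get("friends", [])}
    blocked = sorted((set(must_keep) - set(keep_names)) & present)
    if blocked:
        raise ValueError("these friends must be enabled for SSO, not removed: %s" % blocked)

    pruned = copy.deepcopy(data)
    kept, removed = [], []
    for friend in pruned.get("friends", []):
        (kept if friend.get("name") in keep_names else removed).append(friend)
    pruned["friends"] = kept
    return pruned, [f.get("name") for f in removed]


def prune_file_text(text, keep_names, must_keep=()):
    """Parse the file text, prune friends, and return (new_text, removed_names).

    Re-serialises with json.dumps so the result is guaranteed to be valid
    JSON (no stray trailing commas from hand-editing), and refuses to emit
    output if the consumers section differs from the input.
    """
    data = json.loads(text)
    pruned, removed = prune_friends(data, keep_names, must_keep)
    if pruned.get("consumers") != data.get("consumers"):
        raise RuntimeError("consumers section changed; refusing to write the file")
    return json.dumps(pruned, indent=2) + "\n", removed


if __name__ == "__main__":
    # Keep ccm and rm; drop the legacy QM server that will not be migrated.
    new_text, removed = prune_file_text(SAMPLE_FILE_TEXT, {"ccm", "rm"})
    print("removed friends:", removed)
    print(new_text)
```

Run it once per data file (jts-ssoMigrationData.json and each application-ssoMigrationData.json), passing the names of the servers you are migrating as keep_names and any Report Builder or Lifecycle Query Engine entries as must_keep. Because the script only ever rewrites the friends list and re-checks consumers before producing output, the "Do not modify the consumers section" rule is enforced rather than left to care.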
Results
The single sign-on authentication is enabled.